VMware: The rise and rise of deepfakes, cyber-extortion, and attacks on APIs
- VMware said two out of three respondents saw malicious deepfakes used as part of an attack, a 13% increase from last year, with email being the top delivery method.
- APIs are the new endpoint, representing the next frontier for attackers while lateral movement is the new battleground.
- 65% of defenders said that cyber-attacks have increased since Russia invaded Ukraine.
Russia’s invasion of Ukraine, which began in February 2022, didn’t only result in a war — it led to coordinated cyber-attacks as part of the offensive. The coordination of those attacks made it apparent that hybrid warfare is the new reality, and that geopolitics and cybersecurity are inextricably linked. This is especially evident in the latest ‘Global Incident Response Threat Report’ by VMware, which highlights how cyber-attacks have significantly increased since Russia invaded Ukraine.
Launched during this year’s Black Hat event held in the US, the eighth annual Global Incident Response Threat Report took a deep dive into the challenges faced by security teams amid pandemic disruptions, burnout, and geopolitically motivated cyber-attacks. “65% of defenders state that cyber-attacks have increased since Russia invaded Ukraine,” VMware said.
The report also shines a light on emerging threats such as deepfakes, attacks on APIs, and cybercriminals targeting incident responders themselves. VMware Principal Cybersecurity Strategist Rick McElroy noted that “Cybercriminals are now incorporating deepfakes into their attack methods to evade security controls.” In fact, two out of three respondents in the report saw malicious deepfakes used as part of an attack, a 13% increase from last year, with email as the top delivery method.
Cybercriminals have evolved beyond using synthetic video and audio simply for influence operations or disinformation campaigns. “Their new goal is to use deepfake technology to compromise organizations and gain access to their environment,” McElroy said. The findings of the report are based on an online survey about trends in the incident response landscape, conducted in June 2022, for which VMware interviewed 125 cybersecurity and incident response professionals from around the world.
In February, for instance, VMware saw a new type of malware (named HermeticWiper) deployed in one of the largest targeted attacks in history focused solely on the destruction of critical information and resources. The attack is part of a growing list of destructive malware deployed against Ukraine, as noted in a joint advisory by the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI).
VMware: Other mounting threats
This year’s report delves into a number of other threat areas, including the mounting risks posed by deepfakes, container and cloud vulnerabilities, API security systems, business email compromises (BECs), and extortionary ransomware attacks, VMware said. “The ability of threat actors to move around networks, evade security teams, and leverage these various platforms and attack methods to further penetrate networks and distribute attacks only exacerbates these risks,” the report noted.
Zero-day exploits also show no signs of abating after record levels last year: 62% of respondents said they had experienced such attacks in the past 12 months, up from 51% in 2021. This surge can be attributed to geopolitical conflict, too. “Zero-days are expensive to make—and once they’re used, they’re not as useful again,” McElroy explained. “Nation states are therefore prime drivers behind the zero-day market, particularly during saber-rattling moments like this.”
VMware also noted that cyber-professional burnout remains a critical issue, with 47% of incident responders saying they experienced burnout or extreme stress in the past 12 months, down slightly from 51% last year. Of this group, 69% (versus 65% in 2021) of respondents have considered leaving their job as a result. On top of that, lateral movement is emerging as the new battleground, as it is seen in 25% of all attacks.
The survey also found that ransomware actors are incorporating cyber-extortion strategies. “The predominance of ransomware attacks, often buttressed by e-crime groups’ collaborations on the dark web, has yet to let up. 57% of respondents have encountered such attacks in the past 12 months, and two-thirds (66%) have encountered affiliate programs and/or partnerships between ransomware groups as prominent cyber cartels continue to extort organizations through double extortion techniques, data auctions, and blackmail,” the report noted.
APIs, which allow two software components to communicate with each other, are also increasingly under threat. In fact, VMware referred to APIs as a “promising new endpoint” for cyber-attacks. Among the attacks respondents dealt with, 23% involved a compromised API. Data exposure was the most common type of API compromise of the year, seen by 42% of respondents, followed by SQL injection (37%), API injection (34%) and DDoS attacks (33%).
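The two most common API compromise types named above, data exposure and SQL injection, often share a root cause: an API handler that lets client input shape the query and then returns whole database rows to the caller. The following added example, written for this article and not taken from the VMware report, contrasts a deliberately weak lookup handler with a hardened one. All names (`users` table, `PUBLIC_FIELDS`, the two lookup functions) and the sample rows are constructed for illustration.

```python
import re
import sqlite3

# Constructed sample data for the demonstration; not from the report.
SAMPLE_USERS = [
    ("alice", "alice@example.test", "sha256$deadbeef", "123-45-6789"),
    ("bob", "bob@example.test", "sha256$cafef00d", "987-65-4321"),
]


def make_db():
    """Build an in-memory SQLite database that stands in for the API's backend store."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users ("
        "id INTEGER PRIMARY KEY, username TEXT, email TEXT, "
        "password_hash TEXT, ssn TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, email, password_hash, ssn) VALUES (?, ?, ?, ?)",
        SAMPLE_USERS,
    )
    conn.commit()
    return conn


def lookup_user_vulnerable(conn, username):
    """Weak handler: the caller's input is spliced into the SQL text, so the
    query structure is attacker-controlled (SQL injection), and SELECT *
    returns every column, including secrets (data exposure)."""
    sql = f"SELECT * FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


# Explicit allow-list of columns the API is permitted to return to a client.
PUBLIC_FIELDS = ("id", "username")
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def lookup_user_hardened(conn, username):
    """Hardened handler: input is validated against a strict pattern, the value
    is passed as a bound parameter so it can never alter the query structure,
    and only allow-listed columns are selected and serialised."""
    if not USERNAME_RE.match(username):
        # Reject rather than sanitise; the caller gets a 4xx-style empty result.
        return []
    rows = conn.execute(
        "SELECT id, username FROM users WHERE username = ?", (username,)
    ).fetchall()
    return [dict(zip(PUBLIC_FIELDS, row)) for row in rows]


def demo():
    """Run both handlers against a benign request and a tautology-style probe
    and report what each one leaks, so the difference is visible."""
    conn = make_db()
    benign = "alice"
    probe = "alice' OR '1'='1"
    return {
        "vulnerable_benign_rows": len(lookup_user_vulnerable(conn, benign)),
        "vulnerable_probe_rows": len(lookup_user_vulnerable(conn, probe)),
        "vulnerable_leaks_hash": any(
            "sha256$" in str(col) for row in lookup_user_vulnerable(conn, benign) for col in row
        ),
        "hardened_benign": lookup_user_hardened(conn, benign),
        "hardened_probe": lookup_user_hardened(conn, probe),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point for an API owner is that the hardened version fixes both report categories at once: binding the parameter removes the injection path, and the column allow-list means that even a logic bug elsewhere cannot hand a client the `password_hash` or `ssn` columns. In a real service the same allow-list belongs in the response schema, not only in the query.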
What is also worrying is the fact that malicious insider attacks—in which an organization’s current or former employee, contractor or business partner uses their access to critical assets to facilitate an attack—are on the rise. “Our survey found that 41% of respondents encountered attacks involving insiders over the past year, underscoring the increasingly critical nature of talent management when it comes to cybersecurity controls,” VMware said.
27 January 2023